alessio-signorini closed 3 years ago
@ianheggie - testing this gem is too complex for the time I have available right now. An alternative solution would be to add an accept_proxied_requests configuration option which is true by default but if false would use request.ip instead of request.remote_ip.
Thanks for the PR, I added the change with a configuration flag.
If the service where this gem is installed is behind a proxy (e.g., Heroku router, Cloudflare) the request.ip will be the one of the proxy instead of the origin. Good proxies (e.g., nginx) add the appropriate forwarding headers to the request to report the origin IP. Rails has the built-in request.remote_ip method which appropriately parses the header (if present) to extract the origin IP. Applying this small change will make the gem work out-of-the-box even in case of proxies.
I think it is the right thing to do but technically it also allows IP spoofing.
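An added example (not code from this PR, the gem or Rails) that models the trade-off raised in this thread: a forwarding header is only as trustworthy as the hop that wrote it. The helper names, the trusted-proxy ranges and the sample addresses are constructed, and the right-to-left walk is a simplified model of trusted-proxy filtering; `accept_proxied_requests` is the option name proposed above.

```ruby
require "ipaddr"

# Constructed trusted-proxy ranges (assumption): loopback and private networks.
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16]
                  .map { |cidr| IPAddr.new(cidr) }

# Parse one address; returns nil for anything that is not a valid IP.
def parse_ip(text)
  text = text.to_s.strip
  return nil if text.empty?
  IPAddr.new(text)
rescue IPAddr::Error
  nil
end

def trusted_proxy?(ip, trusted = TRUSTED_PROXIES)
  trusted.any? { |range| range.include?(ip) }
end

# Hypothetical helper. peer_addr is the address of the connecting socket;
# forwarded_for is the raw X-Forwarded-For header value (may be nil).
def client_ip(peer_addr, forwarded_for, accept_proxied_requests: true)
  # Flag off: ignore forwarding headers entirely and report the socket peer.
  return peer_addr unless accept_proxied_requests

  # Hop chain with the nearest hop last: header entries, then the peer itself.
  hops = forwarded_for.to_s.split(",").map { |hop| parse_ip(hop) }
  hops << parse_ip(peer_addr)

  # Walk from the nearest hop outwards and stop at the first address that is
  # not one of our proxies. Entries further left were supplied by that address
  # and are not believed.
  client = hops.compact.reverse.find { |ip| !trusted_proxy?(ip) }
  client ? client.to_s : peer_addr
end

# Unsafe contrast: believes the leftmost header entry, which the sender controls.
def naive_client_ip(peer_addr, forwarded_for)
  parse_ip(forwarded_for.to_s.split(",").first)&.to_s || peer_addr
end
```

Any allow-list keyed on the resolved address is only sound if the trusted ranges match the proxies actually deployed in front of the service.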